Re: [xmpp] Stephen Farrell's No Objection on draft-ietf-xmpp-posh-04: (with COMMENT)

Peter Saint-Andre - &yet <> Wed, 05 August 2015 22:55 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id D42B31ACED9 for <>; Wed, 5 Aug 2015 15:55:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=unavailable
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id WuHbU1mqy4G2 for <>; Wed, 5 Aug 2015 15:55:31 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id D78721ACECC for <>; Wed, 5 Aug 2015 15:55:30 -0700 (PDT)
Received: by ioii16 with SMTP id i16so64630206ioi.0 for <>; Wed, 05 Aug 2015 15:55:30 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:subject:to:references:cc:from:message-id:date :user-agent:mime-version:in-reply-to:content-type :content-transfer-encoding; bh=xLNwQmrmQRF9MygKnpCA6gTX9sD7yvrOOYrTRrmWbKg=; b=ZMhKd6qqOl8swLhaZqdaPlzk7eRUOUNB+C6giJ+/0RBhqXi6RwT7sVuclYBBQMamtl 3IRwnFf4zjgJQPx6mG9evGXgwZnXVM1TlWPIe4mMKlnJ0HCvOn+xfGCG8ESaESajQHO1 OROERpF+E1GbYUhWbpn/csH51oOp7YYSPNXDR9DpoSGzKz07dtJGOzHbuB5Plbut9hc8 Njt5LwUHGB9zX8KEfwfbdPh87Xw/d5YWns8EinF5g9aURYhoz0fkw4HD/V+9xe4viuAO uYCQNW4aZ9l7x89waMuZ5z6xaYe5je4IjUhzL6naU1M+6FnL+gjTCABNb0f5iEdxFMGs jxOA==
X-Gm-Message-State: ALoCoQnI9upyEaMNOM09gNBXKbctsAOZc461VSVD72lLyEVILPwKdEzhn5wurYi0XIRMKZE2+VA6
X-Received: by with SMTP id g4mr12579488ioe.66.1438815330226; Wed, 05 Aug 2015 15:55:30 -0700 (PDT)
Received: from aither.local ( []) by with ESMTPSA id o19sm30702igi.14.2015. (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 05 Aug 2015 15:55:28 -0700 (PDT)
To: Stephen Farrell <>, The IESG <>
References: <>
From: Peter Saint-Andre - &yet <>
Message-ID: <>
Date: Wed, 5 Aug 2015 16:55:26 -0600
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:38.0) Gecko/20100101 Thunderbird/38.1.0
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: <>
Subject: Re: [xmpp] Stephen Farrell's No Objection on draft-ietf-xmpp-posh-04: (with COMMENT)
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: XMPP Working Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 05 Aug 2015 22:55:33 -0000

Hi Stephen, this is a quick reply because time is short here (also, I 
will be offilne tomorrow and Friday).

On 8/5/15 9:02 AM, Stephen Farrell wrote:
> Stephen Farrell has entered the following ballot position for
> draft-ietf-xmpp-posh-04: No Objection
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
> Please refer to
> for more information about IESG DISCUSS and COMMENT positions.
> The document, along with other ballot positions, can be found here:
> ----------------------------------------------------------------------
> ----------------------------------------------------------------------
> 3.1: fingerprints: sigh, I wish we could agree to just
> do this kind of thing a few times and not re-do it over
> and over and over (but we always do;-). RFC6920 could
> probably have been used there (caveat lector: that's an
> RFC I'm a co-author on).

Sorry, I should have thought of RFC 6920 in this context. :(

Matt and I will look at this. (He is offline this week so we won't be 
able to sync up until then.) We will also reach out to implementers 
because as I recall we chose this approach in part for ease of 

> 3.1: fingerprints - your hash input here is the entire
> cert so the value will be out of date when a cert
> expires (or is revoked). While 3.3 makes clear that
> a match on any of these is ok, I think it'd be good
> to say here that the hashes may be of different certs.

Good points all.

> You do clarify in section 7, but I'd suggest moving
> section 7 into 3.1 myself. (I don't object if you
> prefer to not change though.)

I think that might be a sensible change.

> 3.2: A "MUST use HTTPS" statement might have been nice
> there. It's not absolutely needed but would maybe be
> something to help an implementer not get this wrong by
> just using some generic URL handling library without a
> check for scheme==https.

We have been assuming "MUST use HTTPS" but it seems that we didn't quite 
come out and say that.

> section 6: surely the cache expiry ought be the earliest
> of the possibly two POST expires or the X.509 notAfter?

We were thinking specifically of HTTPS-related caching, but yes I 
certainly see your point!

> section 8: see my comments on draft-dna, I think the
> .well-known URIs should be here and not there. But
> it works as-is too, even if ickky:-)

We had some debate about exactly where things belonged, but decided in 
the end that the xmpp-related registrations belonged in the -dna document.

> section 8: I dislike the "{servicedesc}" thing, but
> that's just me. Breaking down servicedesc further into
> "{service}.{proto}" is worse though, I don't get why
> that's a good idea at all, nor the "_" convention. If
> you want/need all that you should've just registered
> "posh" as a well-known and then said the the rest of the
> pathname was whatever structure you needed and not
> possibly end up registering loads of DNA .well-known
> URLs.

See other thread.

> section 9: section 8 is IMO an IANA section, so you're
> fibbing here:-)

Section 8 doesn't make any requests of the IANA, so it doesn't feel like 
material for a standard IANA considerations section.

> - 11.2: odd one this but [HASH-NAMES] might be better
> in 11.1. I won't try force you to do that though as
> it may be messy.

I'm agnostic on that, I suppose.


Peter Saint-Andre